CVE-2024-5722

CVSS v3: 8.8 HIGH (network-adjacent, no authentication required)

📋 TL;DR

This vulnerability lets an attacker on the same network segment execute arbitrary code as root on a Logsign Unified SecOps Platform installation without authenticating. The flaw is in the HTTP API, which relies on a hard-coded cryptographic key: because the key is identical on every installation, it provides no protection once it has been extracted from any one copy of the product. All organizations running a version prior to 6.4.8 are affected.

💻 Affected Systems

Products:
  • Logsign Unified SecOps Platform
Versions: prior to 6.4.8
Operating Systems: Linux-based deployments
Default Config Vulnerable: ⚠️ Yes
Notes: The HTTP API is typically enabled by default. Network-adjacent access (same subnet/VLAN as the appliance) is required; the flaw is not reachable from an arbitrary remote host unless that host shares a segment with the platform.

📦 What is this software?

Logsign Unified SecOps Platform is a security operations platform (SIEM-style log collection and correlation with automated response) that aggregates logs and alerts from across an environment. Because it holds the collected security telemetry and is the place defenders watch from, compromising it both exposes that data and gives an attacker a way to blind monitoring.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with root-level code execution: the attacker can read the security data the platform has collected, pivot to other systems using the credentials and network reach the appliance has, or deploy ransomware.

🟠 Likely Case

The attacker gains persistent access to the security platform, disables or blinds monitoring, and uses the appliance as a foothold for lateral movement.

🟢 If Mitigated

Limited impact if network segmentation keeps adjacent attackers away from the Logsign API, but the vulnerability itself remains until 6.4.8 or later is installed.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ❌ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

ZDI has published an advisory (ZDI-24-614). Because the key is hard-coded rather than generated per installation, exploitation is straightforward once the key has been recovered from any copy of the product; no brute force, race or user interaction is needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.4.8

Vendor Advisory: https://support.logsign.net/hc/en-us/articles/19316621924754-03-06-2024-Version-6-4-8-Release-Notes

Restart Required: Yes

Instructions:

  1. Back up the current configuration (and take a snapshot if the appliance is virtualized).
  2. Download Logsign Unified SecOps Platform version 6.4.8 from the vendor portal.
  3. Follow the vendor upgrade documentation.
  4. Restart services after the upgrade, then confirm the reported version is 6.4.8 or later.

🔧 Temporary Workarounds

Network Segmentation

Restrict the Logsign HTTP API port to trusted management networks. Substitute the API port and the management CIDR, and add one ACCEPT line per trusted network before the DROP. Two caveats: these rules are not persistent across reboots unless saved with your distribution's mechanism, and if an earlier rule in the INPUT chain already accepts the port, the DROP appended here is never reached, so check the chain order with iptables -L INPUT -n --line-numbers after applying them.

iptables -A INPUT -p tcp --dport <api_port> -s <trusted_network> -j ACCEPT
iptables -A INPUT -p tcp --dport <api_port> -j DROP

🧯 If You Can't Patch

  • Implement strict network access controls to limit API access to authorized IPs only
  • Monitor for unusual API access patterns and failed authentication attempts

🔍 How to Verify

Check if Vulnerable:

Read the installed version from the web interface or from the version file on the appliance (path as given on this page):

cat /opt/logsign/version.txt

Any version below 6.4.8 is vulnerable. Compare the components numerically rather than as strings, since 6.10.x sorts before 6.4.8 alphabetically but is newer.

Verify Fix Applied:

Confirm the version reads 6.4.8 or later after the post-upgrade restart, then test that the API still responds from the management network.
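A small version check, added here as an example (not Logsign tooling): it pulls a dotted version out of whatever the version file or web UI reports and compares it numerically against 6.4.8, which matters because a plain string comparison would rank 6.10.0 below 6.4.8. The /opt/logsign/version.txt path is the one given on this page; the file format (a dotted version somewhere in the text) is an assumption.

```python
"""Version check for CVE-2024-5722.

Added example, not Logsign tooling. Assumes /opt/logsign/version.txt
(path from the advisory page) contains a dotted version string such as
"6.4.7" or "Version: 6.4.7-build12"; that file format is an assumption.
"""
import re
import sys
from pathlib import Path

FIXED_VERSION = (6, 4, 8)  # first release containing the fix


def parse_version(text: str) -> tuple:
    """Extract the first dotted numeric version from arbitrary text.

    Accepts "6.4.7", "v6.4.8", "Version: 6.4.7-build12". Raises
    ValueError when no dotted version is present.
    """
    m = re.search(r"(\d+(?:\.\d+)+)", text)
    if not m:
        raise ValueError(f"no version string found in {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(version_text: str) -> bool:
    """True when the version is older than 6.4.8.

    Comparison is component-wise on integers, so 6.10.0 is correctly
    treated as newer than 6.4.8. Missing components are padded with 0
    ("6.4" compares as 6.4.0); extra components are ignored.
    """
    parsed = parse_version(version_text)
    major_minor_patch = (parsed + (0, 0, 0))[:3]
    return major_minor_patch < FIXED_VERSION


def check_file(path: str = "/opt/logsign/version.txt") -> bool:
    """Read the version file and report whether it is vulnerable."""
    return is_vulnerable(Path(path).read_text())


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/opt/logsign/version.txt"
    try:
        vuln = check_file(target)
    except (OSError, ValueError) as exc:
        print(f"could not determine version: {exc}")
        sys.exit(2)
    print("VULNERABLE: upgrade to 6.4.8 or later" if vuln else "patched (6.4.8 or later)")
    sys.exit(1 if vuln else 0)
```

Run it on the appliance with no arguments, or point it at a copied version file; the exit status (1 vulnerable, 0 patched, 2 undetermined) makes it usable from a fleet-inventory script.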

📡 Detection & Monitoring

Log Indicators:

  • API requests from source IPs outside the management networks, in particular the first successful call from a source that has never used the API before
  • Failed authentication attempts followed by successful API calls (a weak signal for this CVE: an attacker holding the hard-coded key can authenticate on the first attempt, so an absence of failures does not mean an absence of exploitation)
  • Process execution logs showing unexpected root-level commands spawned by the API service

Network Indicators:

  • HTTP requests to API endpoints from non-management subnets
  • Unusual outbound connections from the Logsign server

SIEM Query (illustrative; adapt the field names to your schema and replace the NOT IN list with your platform's CIDR-match function, since most SIEM query languages do not match subnets with IN):

source="logsign" AND (http_method="POST" OR http_method="PUT") AND uri_path="/api/*" AND src_ip NOT IN (management_subnets)
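The indicators above turned into runnable detection logic, as an added example rather than a Logsign query: the JSON log lines and field names (ts, src_ip, method, path, status) are constructed for illustration and the management subnets are placeholders. It flags API writes from outside the management networks and a failed-then-successful authentication sequence from a single source; the second pattern is kept because the page lists it, but for this CVE the first is the reliable one, since an attacker with the hard-coded key authenticates correctly on the first try.

```python
"""Detection over API access logs for the CVE-2024-5722 indicators.

Added example. The log format below is constructed for illustration and
is not Logsign's real schema; MANAGEMENT_SUBNETS are placeholders.
"""
import ipaddress
import json

# Placeholder management networks (assumption; replace with your own).
MANAGEMENT_SUBNETS = [
    ipaddress.ip_network(n) for n in ("10.10.0.0/24", "192.168.50.0/24")
]

# Constructed sample log lines (not real Logsign output).
SAMPLE_LOG = """\
{"ts": "2024-06-03T10:00:01Z", "src_ip": "10.10.0.5", "method": "POST", "path": "/api/alerts", "status": 200}
{"ts": "2024-06-03T10:00:07Z", "src_ip": "10.10.0.5", "method": "GET", "path": "/api/health", "status": 200}
{"ts": "2024-06-03T10:01:12Z", "src_ip": "10.10.3.77", "method": "GET", "path": "/api/users", "status": 401}
{"ts": "2024-06-03T10:01:13Z", "src_ip": "10.10.3.77", "method": "GET", "path": "/api/users", "status": 401}
{"ts": "2024-06-03T10:01:20Z", "src_ip": "10.10.3.77", "method": "POST", "path": "/api/users", "status": 200}
{"ts": "2024-06-03T10:02:00Z", "src_ip": "10.10.3.78", "method": "PUT", "path": "/api/config", "status": 200}
{"ts": "2024-06-03T10:02:05Z", "src_ip": "10.10.3.79", "method": "GET", "path": "/dashboard", "status": 200}
"""


def in_management(ip: str) -> bool:
    """True when the address falls inside one of the management subnets."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MANAGEMENT_SUBNETS)


def parse_lines(text: str):
    """Yield one dict per non-empty JSON line."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def detect(log_text: str) -> list:
    """Return (rule, src_ip, ts) tuples for every matching event.

    Rule 1: POST/PUT to /api/* from outside the management subnets.
    Rule 2: a source with prior 401/403 responses on the API that then
            receives a 2xx on the API (one alert per run of failures).
    """
    alerts = []
    failures = {}  # src_ip -> auth failures seen since last success
    for ev in parse_lines(log_text):
        ip, path, status = ev["src_ip"], ev["path"], int(ev["status"])
        is_api = path.startswith("/api/")
        if not is_api:
            continue
        if ev["method"] in ("POST", "PUT") and not in_management(ip):
            alerts.append(("api_write_from_untrusted_subnet", ip, ev["ts"]))
        if status in (401, 403):
            failures[ip] = failures.get(ip, 0) + 1
        elif 200 <= status < 300 and failures.get(ip, 0) > 0:
            alerts.append(("auth_failures_then_success", ip, ev["ts"]))
            failures[ip] = 0
    return alerts


if __name__ == "__main__":
    for rule, ip, ts in detect(SAMPLE_LOG):
        print(f"{ts} {ip} {rule}")
```

On the sample data this raises three alerts: the write from 10.10.3.77 trips both rules, and the PUT from 10.10.3.78 trips only the subnet rule even though it never failed authentication, which is exactly the shape an exploit using the hard-coded key would leave.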

🔗 References

  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2024-5722
  • ZDI-24-614: https://www.zerodayinitiative.com/advisories/ZDI-24-614/
  • Vendor release notes for 6.4.8: https://support.logsign.net/hc/en-us/articles/19316621924754-03-06-2024-Version-6-4-8-Release-Notes
